
Description

When trace logging was enabled in Spring Cloud Config Server, sensitive information was placed in plain text in the logs.

Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

PUBLISHED Reserved 2026-04-16 | Published 2026-05-07 | Updated 2026-05-07 | Assigner vmware




MEDIUM: 4.4
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-532: Insertion of Sensitive Information into Log File

Product status

Default status: unaffected

3.1.0 (custom) before 3.1.14: affected
4.1.0 (custom) before 4.1.10: affected
4.2.0 (custom) before 4.2.7: affected
4.3.0 (custom) before 4.3.3: affected
5.0.0 (custom) before 5.0.3: affected

References

spring.io/security/cve-2026-41004

cve.org (CVE-2026-41004)

nvd.nist.gov (CVE-2026-41004)
